Good evening Exchange System lovers,
As you probably already read on the internet somewhere, one of the key topics around Exchange 2007 is security. Without directly diving into antispam/antivirus stuff, this post will cover the SMTP Authentication aspects which can/cannot be configured on our E2K7 box.
By default, Exchange 2007 establishes and allows only secure (read: encrypted, authenticated) connections on its SMTP gateway. That means it expects an authenticated user to log in on the SMTP service from the outside. However, almost all "public" email systems that run SMTP do not make use of authentication. Otherwise, if we wanted to mail somedude@trycatch.be, our Exchange server would need a username and password to authenticate with the SMTP server of the TryCatch domain. That would be a nice idea: creating an SMTP Directory Services Service for maintaining authentication credentials for all domains we ever want to send mail to :) Hello Microsoft, can you build this into the next version? A suggestion: SAD (SMTP Active Directory) Services... (gottem?)
Now, back to being serious:
Considering the previous paragraph, having Exchange run its SMTP engine waiting for authenticated connections has the nasty consequence that, when the Exchange server is installed out of the box (next, next, finish for the non-techies), SMTP connections from the outside are not allowed. Even your SMTP Relay server in the DMZ (if the great Exchange Edge Server is not used - hey people, is there honestly any other SMTP Relay Server still existing besides Exchange Edge Role Servers nowadays?? :) ?) will not be able to transfer mail to your Exchange server.
Of course, as we want to use our new 8k € server for sending and receiving mail asap, we need to do some configuration work to allow the "Non-Authenticated" communications.
Here are the steps to do this:
Exchange Management Console / Server Configuration / Hub Transport / Receive Connectors:
This will show 2 entries by default:
- Default <ServerName>
- Client <ServerName>
Select the Default / Properties / Permission Groups Tab
=> AHA, found it => select anonymous users
After this, non-authenticated communications to our server are possible again.
As we are in this configuration window anyway: on the Network Tab you can specify the internal local IP address(es) and port(s) that should be used on the Exchange Server for incoming SMTP traffic. With the option below it, you specify the IP address(es) of the servers that we want to allow traffic from (e.g. our SMTP Relay Server in the DMZ - again, if not Exchange Edge Server).
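The same two changes can be made from the Exchange Management Shell, shown here as an added example that is not part of the original post. It assumes the connector still has its default name "Default <ServerName>", uses 192.0.2.25 as a placeholder for the DMZ relay's address, and ends with a check that anonymous sessions did not also receive the relay right (ms-Exch-SMTP-Accept-Any-Recipient).

```powershell
# Added example: run in the Exchange Management Shell on the Hub Transport server.
# Assumptions: default connector name, and a placeholder relay address
# (192.0.2.25 is a documentation range, not a value from the post).
$Server  = $env:COMPUTERNAME
$RelayIP = '192.0.2.25'
$Name    = "$Server\Default $Server"

# 1. Record the current state of every Receive connector before changing anything.
Get-ReceiveConnector -Server $Server |
    Format-List Identity, Bindings, RemoteIPRanges, AuthMechanism, PermissionGroups

# 2. Equivalent of ticking "Anonymous users" on the Permission Groups tab:
#    keep the groups that are already set and add AnonymousUsers to them.
$conn   = Get-ReceiveConnector -Identity $Name
$groups = "$($conn.PermissionGroups), AnonymousUsers"
Set-ReceiveConnector -Identity $Name -PermissionGroups $groups

# 3. Equivalent of the remote-address list on the Network tab: accept
#    connections only from the relay. This applies to every sender that
#    reaches the server through this connector, not only anonymous ones.
Set-ReceiveConnector -Identity $Name -RemoteIPRanges $RelayIP

# 4. Confirm what is now configured.
Get-ReceiveConnector -Identity $Name |
    Format-List Identity, PermissionGroups, RemoteIPRanges

# 5. Anonymous submission should not imply anonymous relay. Look for an
#    Allow entry granting ANONYMOUS LOGON the accept-any-recipient right.
$relay = Get-ReceiveConnector -Identity $Name |
    Get-ADPermission -User 'NT AUTHORITY\ANONYMOUS LOGON' |
    Where-Object {
        -not $_.Deny -and
        ($_.ExtendedRights -like 'ms-Exch-SMTP-Accept-Any-Recipient')
    }

if ($relay) {
    Write-Warning "$Name lets anonymous senders relay to any recipient."
} else {
    Write-Host "$Name accepts anonymous mail without the relay right."
}
```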
That's it for today, folks! Stay tuned for the next series of "Why you hit your head when installing Exchange 2007 for the first time".
Grtz,
Peter - PDT IT
Posted May 24 2007, 01:18 AM by Peter De Tender